Re: F27 Self Contained Change: Samba AD

2017-07-28 Thread Dario Lesca
On Thu, 27/07/2017 at 15.16 +0200, Dario Lesca wrote:
> 
> But the folder is not accessible from bind user:
> # ll -ld /var/lib/samba/private/
> drwx------. 6 root root 4096 Jul 27 13:46 /var/lib/samba/private/
> 
> then I have change it with:
> # chmod g+rx /var/lib/samba/private/
> # chgrp named /var/lib/samba/private/
> 
> 

I have filed this bug
https://bugzilla.redhat.com/show_bug.cgi?id=1476175

> # systemctl start named
> 
> I get this error:
> 
> Jul 27 14:39:53 server-addc.dom.loc named[2418]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
> Jul 27 14:39:53 server-addc.dom.loc named[2418]: dlz_dlopen of 'AD DNS Zone' failed
> Jul 27 14:39:53 server-addc.dom.loc named[2418]: SDLZ driver failed to load.
> Jul 27 14:39:53 server-addc.dom.loc named[2418]: DLZ driver failed to load.
> Jul 27 14:39:53 server-addc.dom.loc named[2418]: loading configuration: failure
> Jul 27 14:39:53 server-addc.dom.loc named[2418]: exiting (due to fatal error)
> Jul 27 14:39:53 server-addc.dom.loc systemd[1]: named.service: Control process exited, code=exited status=1
> Jul 27 14:39:53 server-addc.dom.loc systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
> Jul 27 14:39:53 server-addc.dom.loc systemd[1]: named.service: Unit entered failed state.
> Jul 27 14:39:53 server-addc.dom.loc systemd[1]: named.service: Failed with result 'exit-code'.
> 
> 

And this:
https://bugzilla.redhat.com/show_bug.cgi?id=1476187

-- 
Dario Lesca
(sent from my Linux Fedora 26 Workstation)
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org


Re: F27 Self Contained Change: Samba AD

2017-07-27 Thread Dario Lesca
On Thu, 27/07/2017 at 15.16 +0200, Dario Lesca wrote:
> On Thu, 06/07/2017 at 15.44 +0300, Alexander Bokovoy wrote:
> [...]
> But when I start bind with:
> 
> # systemctl start named
> 
> I get this error:
> 
> Jul 27 14:39:53 server-addc.dom.loc named[2418]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
> Jul 27 14:39:53 server-addc.dom.loc named[2418]: dlz_dlopen of 'AD DNS Zone' failed
> Jul 27 14:39:53 server-addc.dom.loc named[2418]: SDLZ driver failed to load.
> 
> If I start named as root (without systemd) with this command:
> 
> # /usr/sbin/named -u named -c /etc/named.conf
> 
> All works fine
> 
> Any suggestions?


If I run 
# setenforce 0
and
# systemctl start named

the service starts without error.

So it is a SELinux problem, but in /var/log/audit/audit.log or
journalctl I don't see any warning.

Any suggestions?

-- 
Dario Lesca
(sent from my Linux Fedora 26 Workstation)
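The symptom in the message above (a service that starts only after `setenforce 0`, with nothing in the audit log) is what a dontaudit rule looks like from the outside: the access is refused but the denial is deliberately not recorded. The script below is an added example, not code from the thread, from Samba or from BIND. It lists the live commands for making such denials visible and then distils AVC records into the (source type, target type, class, permissions) tuples you feed to sesearch or audit2allow. The audit records embedded in it are constructed; the `samba_var_t` label, PIDs and inode numbers are assumed, and the real denial on that system, if there was one, is not in the thread.

```shell
#!/bin/sh
# Added example; not code from the thread, from Samba or from BIND.
# Live procedure when setenforce 0 helps but audit.log stays silent
# (needs root, not executed here):
#   semodule -DB                    # rebuild policy with dontaudit rules disabled
#   systemctl start named           # reproduce the failure
#   ausearch -m AVC -ts recent      # the denials are now recorded
#   semodule -B                     # restore the dontaudit rules afterwards
#   ps -eZ | grep named             # compare the domain of the systemd-started
#                                   # process with one started from a root shell
# Do not leave dontaudit disabled: the extra records are noisy by design.

# avc_summary COMM
# Reads audit records on stdin and prints the unique
# "<source type> <target type> <class> <permissions>" tuples for denials
# raised by processes whose comm= field is COMM.
avc_summary() {
    awk -v want="$1" '
        function type_of(ctx,   p) { split(ctx, p, ":"); return p[3] }
        /^type=AVC/ && / denied / {
            c = s = t = cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { c = $i;   sub(/^comm="?/, "", c); sub(/"$/, "", c) }
                if ($i ~ /^scontext=/) { s = $i;   sub(/^scontext=/, "", s) }
                if ($i ~ /^tcontext=/) { t = $i;   sub(/^tcontext=/, "", t) }
                if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
            }
            # the permission list sits between the braces: "{ read }"
            b = index($0, "{"); e = index($0, "}")
            perm = substr($0, b + 1, e - b - 1)
            gsub(/^ +| +$/, "", perm)
            if (c == want) print type_of(s), type_of(t), cls, perm
        }' | sort -u
}

# Constructed sample records in the format audit.log/ausearch use. They show
# what a denial for the thread's scenario would look like; labels, PIDs and
# inode numbers are assumed, not taken from that system.
SAMPLE_AUDIT='type=AVC msg=audit(1501159193.417:512): avc:  denied  { search } for  pid=2418 comm="named" name="private" dev="dm-0" ino=1174 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1501159193.417:512): arch=c000003e syscall=2 success=no exit=-13 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1501159193.418:513): avc:  denied  { read } for  pid=2418 comm="named" name="sam.ldb" dev="dm-0" ino=1181 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1501159193.418:514): avc:  denied  { read } for  pid=2418 comm="named" name="sam.ldb" dev="dm-0" ino=1181 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1501159250.002:530): avc:  denied  { write } for  pid=2611 comm="smbd" name="log.smbd" dev="dm-0" ino=2201 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=file permissive=0'

# named_denials: the summary for the sample above. With live data, the
# equivalent is:  ausearch -m AVC -ts recent | avc_summary named
named_denials() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_summary named
}

named_denials
```

On the sample the summary collapses the two identical `sam.ldb` records into one line and ignores the `smbd` denial, leaving exactly the two tuples (`named_t` on `samba_var_t`, `dir search` and `file read`) that a `sesearch -A -s named_t -t samba_var_t` or an `audit2allow` run would need. Whether the right fix is a missing file context (`restorecon -Rv /var/lib/samba` after checking `ls -Z`), a boolean, or a policy bug to report is decided from those tuples, not from the symptom.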


Re: F27 Self Contained Change: Samba AD

2017-07-27 Thread Dario Lesca
On Thu, 27/07/2017 at 15.39 +0200, Zdenek Sedlak wrote:
> How does the unit file look like?

Do you mean that:

> # cat /usr/lib/systemd/system/named.service
> [Unit]
> Description=Berkeley Internet Name Domain (DNS)
> Wants=nss-lookup.target
> Wants=named-setup-rndc.service
> Before=nss-lookup.target
> After=named-setup-rndc.service
> After=network.target
> 
> [Service]
> Type=forking
> Environment=NAMEDCONF=/etc/named.conf
> EnvironmentFile=-/etc/sysconfig/named
> Environment=KRB5_KTNAME=/etc/named.keytab
> PIDFile=/run/named/named.pid
> 
> ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
> ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
> 
> ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
> 
> ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
> 
> PrivateTmp=true
> 
> [Install]
> WantedBy=multi-user.target
> 
-- 
Dario Lesca
(sent from my Linux Fedora 26 Workstation)


Re: F27 Self Contained Change: Samba AD

2017-07-27 Thread Dario Lesca
On Thu, 27/07/2017 at 15.39 +0200, Zdenek Sedlak wrote:
> How does the unit file look like?

Where or how can I see that?

-- 
Dario Lesca
(sent from my Linux Fedora 26 Workstation)


Re: F27 Self Contained Change: Samba AD

2017-07-27 Thread Zdenek Sedlak
On 2017-07-27 15:16, Dario Lesca wrote:
> On Thu, 06/07/2017 at 15.44 +0300, Alexander Bokovoy wrote:
>> So, we pushed 4.7.0-RC1 to Rawhide. Also, asn/samba_ad_dc COPR repo
>> contains a rebuild for F25 and F26. Feel free to test that.
> Today I have started to try f27+samba4.7.
>
> Download and install Fedora 27 server rawhide
> https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Server/x86_64/iso/Fedora-Server-netinst-x86_64-Rawhide-20170724.n.0.iso
>
> Install samba-dc:
> # dnf install samba-client samba-dc samba-winbind attr acl krb5-workstation tdb-tools samba-winbind-clients python
>
> Install Bind:
> # dnf -y install bind bind-utils
>
> Run samba-tool 
> # samba-tool domain provision \
> --realm=dom.loc \
> --domain=dom \
> --dns-backend=BIND9_DLZ \
> --use-rfc2307 \
> --server-role=dc \
> --function-level=2008_R2 \
> 
> I had to remove this option: --use-xattr=yes, it no longer exists
>
> Then I tried to configure bind and added this to /etc/named.conf:
>  
>tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>
>include "/var/lib/samba/private/named.conf";
>
> NOTE: the files to include have the right access:
> # ll /var/lib/samba/private/{dns.keytab,named.conf}
> -rw-r-----. 1 root named 772 Jul 27 13:46 /var/lib/samba/private/dns.keytab
> -rw-r--r--. 1 root root  720 Jul 27 13:46 /var/lib/samba/private/named.conf
>
> But the folder is not accessible by the bind user:
> # ll -ld /var/lib/samba/private/
> drwx------. 6 root root 4096 Jul 27 13:46 /var/lib/samba/private/
>
> then I changed it with:
> # chmod g+rx /var/lib/samba/private/
> # chgrp named /var/lib/samba/private/
>
> But when I start bind with:
>
> # systemctl start named
>
> I get this error:
>
> Jul 27 14:39:53 server-addc.dom.loc named[2418]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
> Jul 27 14:39:53 server-addc.dom.loc named[2418]: dlz_dlopen of 'AD DNS Zone' failed
> Jul 27 14:39:53 server-addc.dom.loc named[2418]: SDLZ driver failed to load.
> Jul 27 14:39:53 server-addc.dom.loc named[2418]: DLZ driver failed to load.
> Jul 27 14:39:53 server-addc.dom.loc named[2418]: loading configuration: failure
> Jul 27 14:39:53 server-addc.dom.loc named[2418]: exiting (due to fatal error)
> Jul 27 14:39:53 server-addc.dom.loc systemd[1]: named.service: Control process exited, code=exited status=1
> Jul 27 14:39:53 server-addc.dom.loc systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
> Jul 27 14:39:53 server-addc.dom.loc systemd[1]: named.service: Unit entered failed state.
> Jul 27 14:39:53 server-addc.dom.loc systemd[1]: named.service: Failed with result 'exit-code'.
>
> The sam.ldb is present and accessible by named:
>
> # ll -d /var/lib/samba/private/dns/sam.ldb
> -rw-rw----. 1 root named 3014656 Jul 27 13:46 /var/lib/samba/private/dns/sam.ldb
> # ll -d /var/lib/samba/private/dns/
> drwxrwx---. 3 root named 38 Jul 27 13:46 /var/lib/samba/private/dns/
> # ll -d /var/lib/samba/private/
> drwxr-x---. 8 root named 4096 Jul 27 15:10 /var/lib/samba/private/
>
> If I start named as root (without systemd) with this command:
>
> # /usr/sbin/named -u named -c /etc/named.conf
>
> All works fine
>
> Any suggestions?
>
> Many thanks
>

How does the unit file look like?

//Zdenek


Re: F27 Self Contained Change: Samba AD

2017-07-27 Thread Dario Lesca
On Thu, 06/07/2017 at 15.44 +0300, Alexander Bokovoy wrote:
> So, we pushed 4.7.0-RC1 to Rawhide. Also, asn/samba_ad_dc COPR repo
> contains a rebuild for F25 and F26. Feel free to test that.

Today I have started to try f27+samba4.7.

Download and install Fedora 27 server rawhide
https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Server/x86_64/iso/Fedora-Server-netinst-x86_64-Rawhide-20170724.n.0.iso

Install samba-dc:
# dnf install samba-client samba-dc samba-winbind attr acl krb5-workstation tdb-tools samba-winbind-clients python

Install Bind:
# dnf -y install bind bind-utils

Run samba-tool 
# samba-tool domain provision \
--realm=dom.loc \
--domain=dom \
--dns-backend=BIND9_DLZ \
--use-rfc2307 \
--server-role=dc \
--function-level=2008_R2 \

I had to remove this option: --use-xattr=yes, it no longer exists

Then I tried to configure bind and added this to /etc/named.conf:
 
   tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

   include "/var/lib/samba/private/named.conf";

NOTE: the files to include have the right access:
# ll /var/lib/samba/private/{dns.keytab,named.conf}
-rw-r-----. 1 root named 772 Jul 27 13:46 /var/lib/samba/private/dns.keytab
-rw-r--r--. 1 root root  720 Jul 27 13:46 /var/lib/samba/private/named.conf

But the folder is not accessible by the bind user:
# ll -ld /var/lib/samba/private/
drwx------. 6 root root 4096 Jul 27 13:46 /var/lib/samba/private/

then I changed it with:
# chmod g+rx /var/lib/samba/private/
# chgrp named /var/lib/samba/private/

But when I start bind with:

# systemctl start named

I get this error:

Jul 27 14:39:53 server-addc.dom.loc named[2418]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
Jul 27 14:39:53 server-addc.dom.loc named[2418]: dlz_dlopen of 'AD DNS Zone' failed
Jul 27 14:39:53 server-addc.dom.loc named[2418]: SDLZ driver failed to load.
Jul 27 14:39:53 server-addc.dom.loc named[2418]: DLZ driver failed to load.
Jul 27 14:39:53 server-addc.dom.loc named[2418]: loading configuration: failure
Jul 27 14:39:53 server-addc.dom.loc named[2418]: exiting (due to fatal error)
Jul 27 14:39:53 server-addc.dom.loc systemd[1]: named.service: Control process exited, code=exited status=1
Jul 27 14:39:53 server-addc.dom.loc systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
Jul 27 14:39:53 server-addc.dom.loc systemd[1]: named.service: Unit entered failed state.
Jul 27 14:39:53 server-addc.dom.loc systemd[1]: named.service: Failed with result 'exit-code'.

The sam.ldb is present and accessible by named:

# ll -d /var/lib/samba/private/dns/sam.ldb
-rw-rw----. 1 root named 3014656 Jul 27 13:46 /var/lib/samba/private/dns/sam.ldb
# ll -d /var/lib/samba/private/dns/
drwxrwx---. 3 root named 38 Jul 27 13:46 /var/lib/samba/private/dns/
# ll -d /var/lib/samba/private/
drwxr-x---. 8 root named 4096 Jul 27 15:10 /var/lib/samba/private/

If I start named as root (without systemd) with this command:

# /usr/sbin/named -u named -c /etc/named.conf

All works fine

Any suggestions?

Many thanks

-- 
Dario Lesca
(sent from my Linux Fedora 26 Workstation)
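What went wrong at the `/var/lib/samba/private/` step in the message above is a path-traversal permission problem, not a file-permission one: the keytab and `named.conf` were group-readable, but the parent directory was `0700 root:root`, and the kernel needs the search (x) bit on every ancestor before the file's own bits matter. The script below is an added example, not code from the thread, from Samba or from BIND. It emulates the classic mode-bit check for a given uid and group list along a path and names the first component that refuses, which is the check to run before suspecting the DLZ module or SELinux. The tree it builds is constructed in a temporary directory; uid 65534 and the caller's primary group stand in for the `named` user and group, and only classic mode bits are modelled (POSIX ACLs, capabilities and SELinux are out of scope). It assumes GNU `stat -c` and paths without whitespace.

```shell
#!/bin/sh
# Added example; not code from the thread, from Samba or from BIND.
# Emulates the kernel's DAC decision for opening a file read-only: search
# bit on every ancestor directory, read bit on the file itself. Only
# classic mode bits are considered. Assumes GNU stat (-c) and paths
# without whitespace.

# dac_bit MODE FUID FGID UID GIDS BIT
# MODE is octal as printed by `stat -c %a`; BIT is 4 (read), 2 (write)
# or 1 (execute/search). Exit status 0 when granted. As in the kernel,
# the owner class is used exclusively when UID owns the object, even if
# the group or other class would be more permissive.
dac_bit() {
    db_mode=$1 db_fuid=$2 db_fgid=$3 db_uid=$4 db_gids=$5 db_bit=$6
    if [ "$db_uid" = "$db_fuid" ]; then
        db_class=$(( (0$db_mode >> 6) & 7 ))
    else
        db_class=$(( 0$db_mode & 7 ))
        for db_g in $db_gids; do
            if [ "$db_g" = "$db_fgid" ]; then
                db_class=$(( (0$db_mode >> 3) & 7 ))
                break
            fi
        done
    fi
    [ $(( db_class & db_bit )) -ne 0 ]
}

# path_readable UID GIDS PATH
# Exit 0 when a process with UID and supplementary group list GIDS could
# open PATH for reading; otherwise print the first refusing component and
# exit 1 (exit 2 if a component cannot be stat'ed).
path_readable() {
    pr_uid=$1 pr_gids=$2 pr_path=$3
    # ancestors, top down: / /var /var/lib ...
    pr_dir=$(dirname "$pr_path") pr_list=""
    while :; do
        pr_list="$pr_dir $pr_list"
        pr_next=$(dirname "$pr_dir")
        [ "$pr_next" = "$pr_dir" ] && break
        pr_dir=$pr_next
    done
    for pr_d in $pr_list; do
        set -- $(stat -c '%a %u %g' "$pr_d")
        [ $# -eq 3 ] || { echo "cannot stat $pr_d"; return 2; }
        if ! dac_bit "$1" "$2" "$3" "$pr_uid" "$pr_gids" 1; then
            echo "denied: no search (x) bit for uid $pr_uid on $pr_d (mode $1, owner $2:$3)"
            return 1
        fi
    done
    set -- $(stat -c '%a %u %g' "$pr_path")
    [ $# -eq 3 ] || { echo "cannot stat $pr_path"; return 2; }
    if ! dac_bit "$1" "$2" "$3" "$pr_uid" "$pr_gids" 4; then
        echo "denied: no read bit for uid $pr_uid on $pr_path (mode $1, owner $2:$3)"
        return 1
    fi
    echo "ok: uid $pr_uid can read $pr_path"
}

# Demonstration on a constructed tree shaped like the thread's layout.
# uid 65534 stands in for "named"; the caller's primary group stands in
# for the "named" group (chgrp to a real group would need root).
demo() {
    dm_root=$(mktemp -d)
    chmod 755 "$dm_root"                      # mktemp creates 0700
    mkdir -p "$dm_root/private/dns"
    : > "$dm_root/private/dns/sam.ldb"
    chmod 700 "$dm_root/private"              # what provisioning left behind
    chmod 770 "$dm_root/private/dns"
    chmod 660 "$dm_root/private/dns/sam.ldb"
    dm_gid=$(id -g)
    path_readable 65534 "$dm_gid" "$dm_root/private/dns/sam.ldb" || true   # denied at private/
    chmod 750 "$dm_root/private"              # the thread's fix: chgrp named + chmod g+rx
    path_readable 65534 "$dm_gid" "$dm_root/private/dns/sam.ldb" || true   # ok
    rm -rf "$dm_root"
}
demo
```

Run against the real layout as `path_readable "$(id -u named)" "$(id -G named)" /var/lib/samba/private/dns/sam.ldb` once the `named` account exists; the first `denied:` line is the component to fix. When it reports `ok:` and `named` still cannot open the file under systemd, the remaining suspects are a POSIX ACL (`getfacl`) or SELinux, not the mode bits.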


Re: F27 Self Contained Change: Samba AD

2017-07-06 Thread Alexander Bokovoy

On Mon, 03 Jul 2017, Dario Lesca wrote:
> On Mon, 03/07/2017 at 09.29 +0300, Alexander Bokovoy wrote:
> > > When the first (beta) F27 + samba 4.7 AD will be released, I will try
> > > the upgrade on a test virtual environment.
> > 
> > Sure!
> 
> Thanks!
> I'll let you know

So, we pushed 4.7.0-RC1 to Rawhide. Also, asn/samba_ad_dc COPR repo
contains a rebuild for F25 and F26. Feel free to test that.

Note that right now FreeIPA in rawhide (and other Fedora versions) is
not binary compatible with Samba 4.7.0. One needs to use the
https://github.com/freeipa/freeipa/pull/901 patchset to FreeIPA git
master to fix incompatibilities. Hopefully, this patchset will get
merged next week and we'll be able to get rawhide to a working state.

I think in mid-August we can run a Test Day too.

--
/ Alexander Bokovoy


Re: F27 Self Contained Change: Samba AD

2017-07-03 Thread Dario Lesca
On Mon, 03/07/2017 at 09.29 +0300, Alexander Bokovoy wrote:
> > When the first (beta) F27 + samba 4.7 AD will be released, I will try
> > the upgrade on a test virtual environment.
> 
> Sure!

Thanks!
I'll let you know

-- 
Dario Lesca
(sent from my Linux Fedora 25 Workstation)


Re: F27 Self Contained Change: Samba AD

2017-07-03 Thread Alexander Bokovoy

On Sat, 01 Jul 2017, Dario Lesca wrote:
> On Sat, 01/07/2017 at 06.29 +0300, Alexander Bokovoy wrote:
> > While no automatic upgrade to Samba AD is planned,
> > we'd like to ensure smooth distribution upgrade.
> 
> What does this mean?
> 
> I have on Fedora 25 + samba 4.5.x rebuild with this spec modification (and
> some others):
> 
-%global with_mitkrb5 1
-%global with_dc 0
+%global with_mitkrb5 0
+%global with_dc 1


> So now I use Heimdal Kerberos, not MIT Kerberos.
> 
> When Fedora 27 + Samba AD comes, how can I migrate the server?
By standing up a new DC and then removing the old DC from the topology.
I don't think we are ever going to support any other upgrade path between
Heimdal-based and MIT Kerberos-based Samba AD DCs.

> Is this the right procedure?
> > If you just want to replace a DC with another DC, then you only need
> > to add the new DC to the domain, let replication do its thing,
> > transfer any FSMO roles from the old DC to the new DC, demote old DC
> > and then turn off the old DC.
> https://lists.samba.org/archive/samba/2016-September/202802.html
Yes, this is the right procedure.

> Or can I move /var/lib/samba, /etc/samba and some other stuff from the
> old server to the new server?
While we tried to maintain the same ldb content between the backends,
there is no guarantee that an in-place upgrade would work here. It is too
fragile to replace the Heimdal build with the MIT build on the same machine.

> When the first (beta) F27 + samba 4.7 AD will be released, I will try the
> upgrade on a test virtual environment.
Sure!

--
/ Alexander Bokovoy
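The replacement procedure confirmed above (join the new DC, let replication finish, transfer the FSMO roles, demote the old DC, switch it off) has one step worth gating mechanically: the demotion, which must not happen while the old DC still owns a role. The script below is an added example, not code from the thread or from Samba. It parses the output of `samba-tool fsmo show`, whose lines have the form `<Role> owner: CN=NTDS Settings,CN=<DC>,CN=Servers,...`, and refuses until no role is owned by the old DC, printing the transfer commands still needed. The sample output and the DC names OLD-DC and NEW-DC are constructed; the role-name to `--role=` mapping is the one samba-tool's `fsmo transfer` uses and should be checked against the installed version.

```shell
#!/bin/sh
# Added example; not code from the thread or from Samba.
# Gate for the "demote old DC" step: parse `samba-tool fsmo show` and
# refuse while the old DC still owns any FSMO role.

# roles_held_by DCNAME
# Reads `samba-tool fsmo show` output on stdin and prints the role names
# whose owner NTDS Settings object sits under CN=DCNAME.
roles_held_by() {
    awk -v dc="CN=$1," '/ owner: / && index($0, dc) > 0 { print $1 }'
}

# transfer_flag ROLE
# The --role= value that pulls ROLE onto the DC where the command runs
# (names as used by `samba-tool fsmo transfer`; verify for your version).
transfer_flag() {
    case $1 in
        SchemaMasterRole)         echo schema ;;
        InfrastructureMasterRole) echo infrastructure ;;
        RidAllocationMasterRole)  echo rid ;;
        PdcEmulationMasterRole)   echo pdc ;;
        DomainNamingMasterRole)   echo naming ;;
        DomainDnsZonesMasterRole) echo domaindns ;;
        ForestDnsZonesMasterRole) echo forestdns ;;
        *)                        echo "unknown-role($1)" ;;
    esac
}

# demote_gate OLD_DC
# Reads `samba-tool fsmo show` output on stdin. Exit 0 when OLD_DC owns no
# role; otherwise print the transfers still needed (to be run on the DC
# that should take the roles) and exit 1.
demote_gate() {
    dg_pending=$(roles_held_by "$1")
    [ -z "$dg_pending" ] && return 0
    for dg_role in $dg_pending; do
        echo "samba-tool fsmo transfer --role=$(transfer_flag "$dg_role")"
    done
    return 1
}

# Constructed sample in the `samba-tool fsmo show` format: two roles are
# still on OLD-DC after the others were moved to NEW-DC. Names are invented.
SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dom,DC=loc
InfrastructureMasterRole owner: CN=NTDS Settings,CN=NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dom,DC=loc
RidAllocationMasterRole owner: CN=NTDS Settings,CN=OLD-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dom,DC=loc
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=OLD-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dom,DC=loc
DomainNamingMasterRole owner: CN=NTDS Settings,CN=NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dom,DC=loc
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dom,DC=loc
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=NEW-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dom,DC=loc'

# Live use, once `samba-tool drs showrepl` is clean on both DCs:
#   samba-tool fsmo show | demote_gate OLD-DC && echo "safe to run samba-tool domain demote on OLD-DC"
printf '%s\n' "$SAMPLE_FSMO" | demote_gate OLD-DC || echo "OLD-DC must not be demoted yet"
```

On the sample the gate prints the two outstanding transfers (`--role=rid` and `--role=pdc`) and exits non-zero; `--role=all` on the new DC is the shortcut when every role should move. Run the gate on any DC, but run the printed transfers on the DC that is to take the roles, and `samba-tool domain demote` on the old DC only after the gate exits 0.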


Re: F27 Self Contained Change: Samba AD

2017-07-01 Thread Dario Lesca
On Sat, 01/07/2017 at 06.29 +0300, Alexander Bokovoy wrote:
> While no automatic upgrade to Samba AD is planned,
> we'd like to ensure smooth distribution upgrade.

What does this mean?

I have on Fedora 25 + samba 4.5.x rebuild with this spec modification (and
some others):

> -%global with_mitkrb5 1
> -%global with_dc 0
> +%global with_mitkrb5 0
> +%global with_dc 1
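Review bot: the two switches in this hunk are coupled, and the text around it should say so: with `with_mitkrb5 1` left in place, `with_dc 1` does not build, because before Samba 4.7 the AD DC could not be compiled against MIT Kerberos (the Change description in this thread states exactly that), so flipping `with_mitkrb5` to 0 is what selects the bundled Heimdal. That coupling is also what makes the result a dead end: Alexander's reply in this thread says there is no in-place upgrade path from a Heimdal-based DC to the MIT-based 4.7 packages, so a DC built from this spec has to be replaced, not upgraded, and the note accompanying the diff should warn about that. The "(and some other)" spec changes referred to are not in the hunk, so as posted it is not reproducible.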

So now I use Heimdal Kerberos, not MIT Kerberos.

When Fedora 27 + Samba AD comes, how can I migrate the server?

Is this the right procedure?
> If you just want to replace a DC with another DC, then you only need
> to add the new DC to the domain, let replication do its thing,
> transfer any FSMO roles from the old DC to the new DC, demote old DC
> and then turn off the old DC.
https://lists.samba.org/archive/samba/2016-September/202802.html

Or can I move /var/lib/samba, /etc/samba and some other stuff from the
old server to the new server?

When the first (beta) F27 + samba 4.7 AD will be released, I will try the
upgrade on a test virtual environment.

Let me know

Thanks
 
-- 
Dario Lesca
(sent from my Linux Fedora 25 Workstation)


Re: F27 Self Contained Change: Samba AD

2017-06-30 Thread Alexander Bokovoy

On Sat, 01 Jul 2017, Dario Lesca wrote:
> On Thu, 29/06/2017 at 15.53 +0200, Jan Kurik wrote:
> > = Proposed Self Contained Change: Samba AD =
> > https://fedoraproject.org/wiki/Changes/Samba_AD
> 
> This is good news.
> 
> I have implemented on Fedora 25 a samba 4.5.x rebuild with dc enabled +
> bind dns + dhcpd + ntpd
> 
> How can I help you when the first release of Fedora 27 + Samba 4.7 AD is
> ready?
Thanks. Testing would be a primary goal, especially dependencies and
upgrades. While no automatic upgrade to Samba AD is planned,
we'd like to ensure smooth distribution upgrade.

--
/ Alexander Bokovoy


Re: F27 Self Contained Change: Samba AD

2017-06-30 Thread Dario Lesca
On Thu, 29/06/2017 at 15.53 +0200, Jan Kurik wrote:
> = Proposed Self Contained Change: Samba AD =
> https://fedoraproject.org/wiki/Changes/Samba_AD
> 

This is good news.

I have implemented on Fedora 25 a samba 4.5.x rebuild with dc enabled +
bind dns + dhcpd + ntpd

How can I help you when the first release of Fedora 27 + Samba 4.7 AD is
ready?

Many thanks

-- 
Dario Lesca
(sent from my Linux Fedora 25 Workstation)


F27 Self Contained Change: Samba AD

2017-06-29 Thread Jan Kurik
= Proposed Self Contained Change: Samba AD =
https://fedoraproject.org/wiki/Changes/Samba_AD

Change owner(s):
* Alexander Bokovoy 
* Andreas Schneider 

Samba AD is an open source implementation of an Active Directory set
of tools and protocols. It allows Windows clients to be enrolled and
managed using native Windows tools. In addition, Samba AD can serve as
a domain controller for Fedora workstations and servers utilizing
DCERPC, LDAP and Kerberos.


== Detailed Description ==
Samba AD is an implementation of an Active Directory set of tools and
protocols. It is developed and released as part of Samba suite.
Upcoming Samba 4.7 release will contain changes to allow Samba AD to
be built and used with MIT Kerberos. Prior to Samba 4.7 it was
impossible to compile Samba AD with MIT Kerberos. As result, Samba AD
was not packaged in Fedora.

== Scope ==
* Proposal owners:
Samba packages in Fedora already include a stub subpackage samba-dc
that is going to be replaced with a full Samba AD implementation.
Appropriate dependencies are already present in Fedora 27/Rawhide or
will be added together with Samba 4.7 update. This mostly concerns
upgrade of Samba-related libraries: libtevent, libldb, libtdb, and MIT
Kerberos update to support new APIs added to accommodate Samba AD
(already in Rawhide).

* Other developers:
N/A (not a System Wide Change)

* Release engineering:
- https://pagure.io/releng/issue/6869
- We believe no impact to Release Engineering is needed for this change

* List of deliverables:
N/A (not a System Wide Change)

* Policies and guidelines:
N/A (not a System Wide Change)

* Trademark approval:
N/A (not needed for this Change)
-- 
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
___
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-le...@lists.fedoraproject.org

